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(57) Abstract: An on-line value bearing item (VBI) printing system that includes one or more cryptographic modules and a secure 
database is disclosed. The secure database has the ability to recover data in case of a database failure and includes account balances 
and other information for all of the on-line value-bearing item system customers and is capable of preventing access by unauthorized 
users. Also, a secure communication network is in operation to prevent unauthorized access to the "users' data stored in the data- 
base. A plurality of subsystems located on the server system side of the on-line VBI system provide services related to purchasing, 
accounting, and printing of VBI. Preferably, these services run on multiple server machines allowing the system to be scalable. The 
number of the servers can easily be increased to meet the growing needs of the subsystems as the numbers of transactions and users 
increase. The growing number of servers will not impact the performance of the on-line postage system, because the design of the 
on-line postage system allows for scalability. 
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1 METHOD AND APPARATUS FOR ON-LINE 

VALUE-BEARING ITEM SYSTEM 

FIELD OF THE INVENTION 
5 The present invention relates to secure printing of value-bearing items (VBI) preferably 

such as postage, tickets, and coupons. More specifically, the invention relates to a secure and 
recoverable on-line system for validating and printing VBI in a Wide Area Network (WAN) 
environment. 

10 BACKGROUND OF THE INVENTION 

A considerable percentage of the United States Postal Service (USPS) revenue is from 
metered postage. Metered postage is generated by utilizing postage meters that print a special 
mark, also known as postal indicia, on mail pieces. Generally, printing postage and any VBI can 
be carried out by using mechanical meters or computer-based systems. 
15 With respect to computer-based postage processing systems, the USPS under the 

Information-Based Indicia Program (IBIP) has published specifications for IBIP postage meters 
that identify a special purpose hardware device, known as a Postal Security Device (PSD) that 
is generally located at a user's site. The PSD. in conjunction with the user's personal computer 
and printer, functions as the IBIP postage meter. The USPS has published a number of 
20 documents describing the PSD specifications, the indicia specifications and other related and 
relevant information. There are also security standards for printing other types of VBls. such as 
coupons, tickets, gift certificates, currency, voucher and the like. 

A significant drawback of existing hardware-based systems is that a new PSD must be 
locally provided to each new user, which involves significant cost. Furthermore, if the additional 
25 PSD breaks down, service calls must be made to the user location. In light of the drawbacks in 
hardware-based postage metering systems, a software-based system has been developed that does 
not require specialized hardware for each user. The software-based system meets the IBIP 
specifications for a PSD. using a centralized server-based implementation of PSDs utilizing one 
or more cryptographic modules. The system also includes a database for all users' information 
30 The software-based system, however, has brought about new challenges. 

The system should also be able to handle minor and catastrophic database failures without 
impacting the integrity of the on-line VBI system and provide for recovery of the database to 
minimize or eliminate the loss of data. In a hardware-based system, security is generally handled 
by the local hardware piece, that is unique to each user and includes a cryptographic module that 
encrypts that user s information. System recovery can generally be handled by replacing the 
corrupted local hardware pieces for each user that stores that user's information, however. "data 
specific to that user may be lost. Nevertheless, for a software-based system, the system need to 
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be configured to handle such database failures without sacrificing a major data loss and system 
security. 

Therefore, there is a need for a new method and apparatus for implementation of an IBIP 
postage meter and other value-bearing items over a WAN that does not require the special 
purpose hardware device at the user site. Furthermore, there is a need for a secure and 
recoverable database in an on-line VBI system that is capable of preventing unauthorized access 
and handling minor and catastrophic database failures without impacting the integrity of the 
system. 

SUMMARY OF THE INVENTION 

In accordance with the present invention, a scalable on-line VBI system has been designed 
for printing VBI in a WAN environment that preferably meets the published USPS, and other 
VBI requirements. A plurality of subsystems located on the server system side of the system 
provide services related to purchasing, accounting, and printing of postage. Preferably* these 
services run on multiple server machines allowing the system to be scalable. The number of the 
servers can easily be increased to meet the growing needs of the subsystems as the numbers of 
transactions and users increase. The growing number of servers will not impact the performance 
of the on-line VBI system, because the design of the system allows for scalability. 

One or more cryptographic modules are responsible for creating multiple PSDs and 
manipulating the PSDs data for security. The number of the cryptographic modules can also be 
easily increased to meet the growing needs of the system. 

All of the transaction processing functions are performed in the servers. By locating the 
transaction processing functions in the servers, increases in number of transactions can easily be 
handled by adding additional servers. Additionally, the transactions are stateless, meaning they 
are not tied to one machine, so multiple server machines can service each functional subsystem 
allowing additional hardware to be added easily and painlessly to each subsystem in order to 
handle increased processing loads. Further, load balancing modules are used to distribute traffic 
among the various servers. 

In addition, a schema design, in which the information containing location and format of 
the data is in machine-readable format, allows for data to be partitioned across multiple physical 
databases. The schema identifies how and where the data is located on the physical databases, 
therefore, it allows for the data to be partitioned across multiple physical databases. This 
provides for scalability as the number of users grows, because the schema can be readily updated 
to add new physical databases, to be spread across the database subsystem. 

One aspect of the present invention describes a scalable on-line system for printing value 
bearing items (VBI) comprising: a client system for interfacing with one or more users; and a 
scalable server system capable of communicating with the client system over a communication 
network. The scalable server system includes a database . remote from the users including 
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information about the users; a stateless cryptographic module for authenticating the one or more 
users; and a plurality of security device transaction data stored in the database for ensuring 
authenticity of the one or more users, wherein each security device transaction data can be 
processed in the server system in a stateless manner. 

Another aspect of the present invention describes a method for printing value-bearing 
items (VBI) via a communication network including a client system, and a scalable server 
system. The method comprises the steps of: interfacing with one or more users via the client 
system; communicating with the client system over the communication network; storing user 
information in a database accessible through the network: authenticating the one or more users 
using a scalable cryptographic module; and storing in the database a plurality of security device 
transaction data for ensuring authenticity of the one or more users, wherein each security device 
transaction data can be processed in the server system in a stateless manner. 

It is to be understood that the present invention is useful for printing not only postage, but 
any value bearing items, such as coupons, tickets, gift certificates, currency, voucher and the like. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The objects, advantages and features of this invention will become more apparent from 
a consideration of the following detailed description and the drawings, in which: 

FIG. 1 is a block diagram for the client/server architecture of one embodiment of the 
present invention; 

FIG. 2 is a block diagram of a remote user computer connected to a server via Internet; 

FIG. 3 is a block diagram of one embodiment of postage servers; 

FIG. 4 is a block diagram of servers, databases, and services provided by one embodiment 
of the present invention; 

FIG. 4A is a block diagram of servers, databases, and services provided by one 
embodiment of the present invention; 

FIG. 5 is a block diagram of further servers, databases, and service's provided by one 
embodiment of the present invention; 

FIG. 6 is a block diagram of some of the hardware components that provide security and 

back up to a database; and 

FIG. 7 is a block diagram of a client software, a cryptographic module, and a typical 
transaction between them during an operational state. 

DETAILED DESCRIPTION 

In one aspect, the system and method of the present invention prevent unauthorized 
electronic access to a database subsystem and secure customers' related data, among others. One 
level of security is achieved by protecting the database subsystem by a postal server subsystem. 
The postal server subsystem controls preferably, all communications with the database subsystem 
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by executing an autiientication algorithm to prevent unauthorized access. Another level of 
security is achieved by encrypting preferably, all communications between the client system and 
the postal server subsystem, the encryption-decryption function is employed using commonly 
known algorithms, such as. Rivest. Shamir and Adleman ("RSA") public key encryption. DES. 
Triple-DES, Pseudo-random number generation, and the like algorithms. Additionally. DSA 
signature, and SHA-1 hashing algorithms may be used to digitally sign a postage indicium. 

Another measure of security is the interaction between a cryptographic module and the 
database subsystem whenever a PSD transaction (security device transaction) is initiated. The 
cryptographic module and the database subsystem cross-verify the last PSD transaction (security 
device transaction) before proceeding with the next PSD transaction. If the last transaction 
record in the cryptographic module and the database subsystem do not match, then the on-line 
VBI system shuts down until the situation can be investigated. This verification process protects 
against attempts of unauthorized individuals to replace the database subsystem. The registers in 
the cryptographic modules are cryptographically protected to achieve another level Of security . 

An exemplary on-line postage system is described in U.S. patent Application No. 
09/163.993 filed September 15. 1998, the entire contents of which are hereby incorporated by- 
reference herein. The on-line postage system includes an e protocol that operates in conjunction 
with the USPS requirements. The system utilizes on-line postage system software comprising 
user code that resides on a client system and controller code that resides on a server system. The 
on-line postage system allows a user to print a postal indicium at home, at the office, or any other 
desired place in a secure, convenient, inexpensive and fraud-free manner. The system comprises 
a user system electronically connected to a server system, which in tum is connected to a USPS 
system. 

Each of the cryptographic modules may be available for use by any user. When a user 
requests a PSD service, one of the available modules is loaded with data belonging to the user's 
account and the transaction is performed. When a module is loaded with a user's data .that 
module becomes the user's PSD. The database record containing each "users PSD data is 
referred to as the "PSD package" (security device transaction data). After each PSD transaction 
is completed, the user's PSD package is updated and returned to a database external to the 
module. The database becomes an extension of the module's memory and stores not only the 
items specified by the 1BIP for storage inside the PSD, but also the user's personal cryptographic 
keys and other security relevant data items (SRD1) and status information needed for continuous 
operation. Movement of this sensitive data between the modules and the database is secured to 
ensure that PSD packages could not be compromised. 

In one embodiment, the server system is remotely located in a separate location from the 
client system. All communications between the client and the server are preferably accomplished 
via the Internet. FIG. 1 illustrates a remote client system 220a connected to a server system 102 
via the Internet 221 . The client system includes a processor unit 223, a monitor 230, printer port 
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106* a mouse 225, a printer 235, and a keyboard 224. Serversystem 102 includes Postage servers 
109, Database 130, and cryptographic modules 110. 

An increase in the number of servers within the server system 102 will not negatively 
impact the performance of the system, since the system design allows for scalability. The Server 
system 102 is designed in such a way that all of the business transactions are processed in the 
servers and not in the database. By locating the transaction processing in the servers, increases 
in the number of transactions can be easily handled by adding additional servers. Also, each 
transaction processed in the servers is stateless, meaning the application does not remember the 
specific hardware device the last transaction utilized. Because of this stateless transaction design, 
multiple servers can be added to each appropriate subsystem in order to handle increased loads. 

Furthermore, each cryptographic module is a stateless device, meaning that a PSD package 
can be passed to any device because the application does not rely upon any information about 
what occurred with the previous PSD package. Therefore, multiple cryptographic modules can 
also be added to each appropriate subsystem in order to handle increased loads. A PSD package 
for each cryptographic module is a database record, stored in the server database, that includes 
information pertaining to one customer's service that would normally be protected inside a 
cryptographic module. The PSD package includes all data needed to restore the PSD to its last 
known state when it is next loaded into a cryptographic module. This includes the items that the 
1BIP specifications require to be stored inside the PSD, information required to return the PSD 
to a valid state when the record is reloaded from the database, and data needed for record security 
and administrative purposes. 

In one embodiment, the items included in a PSD package include ascending and 
descending registers (the ascending register " AR" records the amount of postage that is dispensed 
or printed on each transaction and the descending register t4 DR" records the value or amount of 
postage that may be dispensed and decreases from an original or charged amount as postage is 
printed.), device ID, indicia key certificate serial number, licensing ZIP code, key token for the 
indicia signing key, the user secrets, key for encrypting user secrets, data and time of last 
transaction, the last challenge received from the client, the operational state of the PSD, 
expiration dates for keys, the passphrase repetition list and the like. 

As a result, the need for specific PSDs being attached to specific cryptographic modules 
is eliminated. A Postal Server subsystem provides cryptographic module management services 
that allow multiple cryptographic modules to exist and function on one server, so additional 
cryptographic modules can easily be installed on a server! The Postal Sever subsystem is easy 
to scale by adding more cryptographic modules and using commonly known Internet load- 
balancing techniques to route inbound requests to the new cryptographic modules. 

Referring back to FIG. 1, Postage servers 109 include one or more Postal servers and 
provide indicia creation, account maintenance, and revenue protection functionality for the 
exemplary on-line postage system. The Postage servers 1 09 may include several physical servers 
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in several distinct logical groupings, or services as described below. The individual servers could 
be located within one facility, or in several facilities, physically separated by great distance but 
connected by secure communication links. 

Cryptographic modules 1 1 0 are responsible for creating PSDs and manipulating PSD data 
to protect sensitive information from disclosure, generating the cryptographic components of the 
digital indicia, and securely adjusting the user registration. When a user wishes to print VBI , 
for example, postage or purchase additional VBI or postage value, a user state is instantiated in 
the PSD implemented within one of the cryptographic modules 110. Database 1 1 1 includes all 
the data accessible on-line for indicia creation, account maintenance, and revenue protection 
processes. Postage servers 109, Database 130, and cryptographic modules 1 10 are maintained 
in a physically secured environment such as a vault. 

FIG. 2 shows a simplified system block diagram of a typical Internet client/server 
environment used by an on-line VBI system in one embodiment of the present invention. PCs 
220a-220n used by the postage purchasers are connected to the Internet 221 through the 
communication links 233a-233n. Each PC has access to one or more printers 235. Optionally, 
as is well understood in the art a local network 234 may serve as the connection between some 
of the PCs, such as the PC 220a and the Internet 221 or other connections. Servers 222a-222m 
are also connected to the Internet 221 through respective communication links. Servers 222a- 
222m include information and databases accessible by PCs 220a-220n. The on-line VBI system 
of the present invention resides on one or more of Servers 222a-222m. 

In this embodiment, each client system 220a-220m includes a CPU 223, a keyboard 224, 
a mouse 225, a mass storage device 231, main computer memory 227, video memory 228, a 
communication interface 232a, and an input/output device 226 coupled and interacting via a 
communication bus. The data and images to be displayed ori the monitor 230 are transferred first 
from the video memory 228 to the video amplifier 229 and then to the monitor 230. The 
communication interface 232a communicates with the servers 222a-222m via a network link 
233a. The network link connects the client system to a local network 234." The local network 
234 communicates with the Internet 221. 

In one embodiment, a customer, preferably licensed by the USPS and registered with an 
IBIP vendor (such as Stamps.com), sends a request for authorization to print a desired amount 
of VBI, such as postage. The server system verifies that the user' s account holds sufficient funds 
to cover the requested amount of postage, and if so, grants the request. The server then sends 
authorization to the client system. The client system then sends image information for printing 
of a postal indicium for the granted amount to a printer so that the postal indicium is printed on 
an envelope or label. 

In one embodiment, when a client system sends a VBI print request to the server system, 
the request needs to be authenticated before the client system is allowed to print the VBI, and 
while the VBI is being printed. The request is cryptographically authenticated using an 
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authentication code. The client system sends a password (or passphrase) entered by a user to the 
server for verification. If the password fails, a preferably asynchronous dynamic password 
verification method terminates the session and printing of the VBI is aborted. Also, the server 
system communicates with a system located at a certification authority for verification and 
authentication purposes. 

In one embodiment, the information processing components of the on-line VBI system 
include a client system, a postage server system located in a highly secure facility, a USPS system 
and the Internet as the communication medium among those systems. The information 
processing equipment communicates over a secured communication line. 

Preferably, the security and authenticity of the information communicated among the 
systems are accomplished on a software level through the built-in features of a Secured Socket 
Layer (SSL) Internet communication protocol . An encryption hardware module embedded in the 
server system is also used to secure information as it is processed by the secure system and to 
ensure authenticity and legitimacy of requests made and granted. 

The on-line VBI system is based on a client/server architecture. Generally, in a system 
based on client/server architecture the server system delivers information to the client system. 
That is- the client system requests the services of a generally larger computer. In one 
embodiment, the client is a local personal computer and the server is a more powerful group of 
computers that house the information. The connection from the client to the server is made via 
a Local Area Network, a phone line or a TCP/IP based WAN on the Internet or any other types 
of communication links such as wireless or satellite links. A primary reason to set up a 
client/server network is to allow many clients access to the same applications and files stored on 
the server system. 

The on-line VBI system does not require any special purpose hardware for the client 
system. The client system is implemented in the form of software that can be executed on a user 
computer (client system) allowing the user computer to function as a virtual VBI meter. The 
software can only be executed for the purpose of printing the VBI indicia when the user computer 
is in communication with a server computer located, for example, at a VBI meter vendor's 
facility (server system). The server system is capable of communicating with one or more client 
systems simultaneously. 

In one embodiment, the on-line system includes the following subsystems: the Database 
subsystem, the Postal Server subsystem, the Provider Server subsystem, the E-commerce 
subsystem, the Staging subsystem, the Client Support subsystem, the Decision Support 
subsystem, the SMTP subsystem, the Address Matching service (AMS) subsystem, the SSL 
Proxy Server subsystem and the Web Server subsystem, and the like, as shown in FIGs. 4 and 
4A. Preferably, the Database, Postal Server, Provider, E-commerce, Client Support Services, 
SMTP, AMS ? SSL Proxy Server, Web Server subsystems, and Staging subsystems reside in the 
vault while the Decision Support Services reside outside the vault. 
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Postage servers 109 in FIG. 1 include a string of servers connected to the Internet for 
example, through a Tl line, and are preferably protected by a firewall. The firewall permits a 
client to communicate with a server system, only if the information packet transmitted by the 
client system complies with a security policy set by the server system. The firewall not only 
protects the system from unauthorized users on the Internet it also separates the Public Network 
(PUBNET) from the Private Network (PRVNET). This ensures that packets from the Internet 
will not go to any location but the PUBNET- The string of servers form the different subsystems 
of the postal system. The services provided by the different subsystems of the on-line VBI 
system are designed to allow flexibility and expansion and reduce specific hardware dependancy . 

The Database subsystem is comprised of multiple databases. FIG. 4 illustrates an 
exemplary Database subsystem which includes the Postal Database 47. Postal Database 
Management System 47 A, the Provider Database 42, Provider Database Management System 
42A, the E-commerce Database 46, E-commerce Database Management System 46A, the 
Membership Database 48, the Membership Database Management System 48A, the Staging 
Services Database 49, and the Staging Services Database Management System 49A protected by 
firewall 40. Different portions of the Database subsystem are described below. Also, the 
databases are referred to as a portion of the Database subsystem after an initial reference as the 
subsystem database (e.g., Postal Database first, then Postal portion of the Database subsystem). 
A secure standby backup database server (not shown) mirrors the primary database server to 
minimize the impact of any interruption of the primary database server. 

The Postal Server subsystem 4 1 manages client and remote administration access to server 
functionality, authenticates clients and allows clients to establish a secure connection to the on- 
line VBI system. The Postal Server subsystem also manages access to USPS specific data such 
as PSD information and a user's license information. Ths Postal Server subsystem queries the 
Postal portion of the Database subsystem for the necessary information to complete the task. The 
query travels through the firewall 40 to the Postal portion of the Database subsystem. The Postal 
Server subsystem is the subsystem in the Public Network that has access to the Database 
subsystem. 

In one embodiment, the Database subsystem is comprised of multiple databases, as shown 
in FIG. 4A. In this embodiment, the Database 41 1 includes the Affiliate DBMS and the Source 
IDs DBMS. The Affiliate DBMS manages affiliate information (e.g., affiliate's name, phone 
number, and affiliate's Website information) that is stored on the Affiliate Database. Using the 
data from this database, marketing and business reports are generated. The Source IDs Database 
contains information about the incoming links to the vendor's Website (e.g., partners' 
information, what services the vendor offers, what marketing program is associated with the 
incoming links, and co-branding information). Using the data from this database, marketing and 
business reports are generated. 



WO 01/29778 PCT/US00/41201 

The Online Store Database 41 2 contains commerce product information, working orders, 
billing information, password reset table, and other marketing related information. Website 
database 410 keeps track of user accesses to the vendor website. This database keeps track of 
user who access the vendor website, users who are downloading information and programs, and 
the links from which users access the vendor website. After storing these data on the Website 
Database 4 1 0. software tools are used to generate the following information: 

Web Site Status 

Web Site Reports 

• Form Results 

• Download Successes 

Signup, Downloads, and Demographic Graphs 

• Web Server Statistics (Analog) 

Web Server Statistics (Web Analyzer) 

Offline database 409 manages the VBI data (except meter information), postal transactions 
data, financial transactions data (e.g., credit card purchases, free postage issued, bill credits, and 
bill debits), customer marketing information, commerce product information, meter license 
information, meter resets, meter history, and meter movement information. Consolidation Server 
413 acts as a repository for data, centralizing data for easy transportation outside the vault 400. 
The Consolidation Server hosts both file and database services, allowing both dumps of activity 
logs and reports as well as a consolidation point for all database data. 

The Offline Reporting Engine MineShare Server 4 1 5 performs extraction transformation 
from the holding database that received transaction data from the Consolidated Database 
(Commerce database 406. Membership database 408. and Postal Database 407). Also, the 
Offline Reporting Engine MineShare Server handles some administrative tasks. Transaction data 
in the holding database contains the transaction information about meter licensing information, 
meter reset information, postage purchase transactions, and credit card transactions. After 
performing extraction transformation, business logic data are stored on Offline Database 409. 
Transaction reports are generated using the data on the Offline Database. Transaction reports 
contain marketing and business information. 

The Data Warehouse database 4 1 4 of FIG . 4 A includes all customer information, financial 
transactions, and aggregated information for marketing queries (e.g., how many customers have 
purchased postage). In one embodiment, commerce Database 406 includes a Payment Database, 
an E-mail Database, and a Stamp Mart Database. The E-mail DBMS manages access to the 
contents of e-mail that were sent out to everyone by vendor servers. The Stamp Mart database 
handles order form processing. The E-commerce Server 404 provides e-commerce related 
services on a user/group permission basis. It provides commerce-related services such as 
payment processing, pricing plan support and billing as well as customer care functionality and 
LDAP membership personalization services. 
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A Credit Card Service is invoked by the E-commerce Server 404 to authorize and capture 
funds from the customer's credit card account and to transfer them to the vendor's merchant 
bank. A Billing Service is used to provide bills through e-mail to customers based on selected 
billing plans An ACH service runs automatically at a configurable time. It retrieves all pending 
ACH requests and batches them to be sent to bank for postage purchases (i.e. money destined for 
the USPS), or Chase for fee payments which is destined for the vendor account 

The E-commerce DBMS 406 manages access to the vendor specific Payment Credit Card, 
and Email Databases. A Membership DBMS manages access to the LD AP membership directory 
database 408 that hosts specific customer information and customer membership data. A Postal 
DBMS manages access to the Postal Database 407 where USPS specific data such as meter and 
licensing information are stored. A Postal Server 401 provides secure services to the Client 
including client authentication, postage purchase, and indicia generation. The Postal Server 
requires cryptographic modules to perform all functions that involve client authentication, 
postage purchase, and indicia generation. 

Postal Transaction Server 403 provides business logic for postal functions such as device 
authorization and postage purchase/register manipulation. The Postal Transaction Server requires 
the cryptographic modules to perform all functions. There are four Client Support Servers: 
Address Matching Server (AMS) 41 7 verifies the correct address specified by a user. When the 
user enters a delivery address or a return address using the Client Software, the user does not 
need the address matching database on the user's local machine to verify the accuracy of the 
address. The Client software connects to the vendor's server and uses the central address 
database obtained from the USPS to verify the accuracy of the address. If the address is 
incorrect the client software provides the user with a prioritized list of addresses to match the 
correct address. These choices are ranked in a user definable order. This information is 
represented using a plain text format. 

The Client Support Servers 4 1 7 of FIG. 4A provides the following services: a Pricing Plan 
service, an Auto Update service, and a Printer Config service. The Pricing Plan Service provides 
information on pricing plans and payment methods available to the user. It also provides what 
credit cards are supported and whether ACH is supported. This information is represented 
preferably using a plain text format. The Auto Update Service verifies whether the user is 
running the latest Client Software. If there is newer Client Software, the Auto Update Server 
downloads the new patches to the user computer. The Client Support Database has tables for the 
client software update information. This information is represented using a plain text format. 

Before the user tries to print postage, the user sends his or her printer driver information 
over the Internet in plain text. The Printer Config Service looks up the printer driver information 
in the Printer Driver Database to determine whether the printer driver is supported or not. When 
the user tries to configure the printer, the user prints a test envelope to test whether the postage 
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printing is working properly or not This testing envelope information is sent over the Internet 
in plain text and is stored in the Client Support Database. 

MeterGen server 422 makes calls into the cryptographic module to create sufficient meters 
to ensure that the vendor can meet customer acquisition demands. SMTP Server 418 
communicates with other SMTP servers, and it is used to forward e-mail to users. Gatekeeper 
Server works as a proxy server by handling the security and authentication validation for the 
smart card users to access customer and administration information that reside in the vault. 

The Proxy Server 423 uses the Netscape™ Enterprise SSL library to provide a secure 
connection to the vault 400. Audit File Server 419 acts as a repository for module transaction 
logs. The Audit File Server verifies the audit logs that are digitally signed. The audit logs are 
verified in real time as they are being created. Postal Server writes audit logs to a shared hard 
drive on the Audit File Server. After these logs are verified, the Audit File Server preferably 
moves them from the shared hard drive to a hard drive that is not shared by any of the vendor 
servers. 

Provider Server provides reporting and external communication functionality including 
the following services. CMLS Service forwards license applications and it processes responses 
from CMLS. The CMLS Service uses cryptographic functions provided by the Stamps.com 
Crypt library to decrypt the usefs SSN/Tax ID/Employee ID. CMRS Service reports meter 
movement and resetting to the USPS Computerized Meter Resetting infrastructure. ACH Service 
is responsible for submitting ACH postage purchase requests to the USPS lockbox account at the 
bank. The CMLS Service uses cryptographic functions to decrypt the user's ACH account 
number. 

After decrypting ACH account information, the ACH is encrypted using the vendor's 
script library. Then, the encrypted ACH file is e-mailed to;the Commerce Group by the SMTP 
server. When the Commerce Group receives this encrypted e-mail, the vendor's Decrypt utility 
application is used to decrypt the ACH e-mail. After verifying the ACH information, the 
Commerce Group sends the ACH information through an encrypted device first and then uses 
a modem to upload the ACH information to a proper bank. The Certificate Authority issues 
certificates for all IBIP meters. The certificates are basically used to provide authentication for 
indicia produced by their respective meters. 

The following are exemplary steps describing the certificate authorization process: 

MeterGen asks the module to create a meter package, 

The module returns a package and the meter's public key, 

MeterGen creates a certificate request with the public key, signs the request with a USPS- 
issued smartcard, and submits the request to the USPS Certificate Authority, 
The Certificate Authority verifies the request came from the vendor then, it creates a new 
certificate and returns it to MeterGen, 
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MeterGen verifies the certificate using the USPS Certificate Authority's certificate (e:g.. 
to ensure it wasn't forged) and stores the certificate information in the package. The 
package is now ready to be associated with a customer. 

The Postal Server subsystem 401 of FIG. 4 A manages client and remote administration 
access to server functionality, authenticates clients and allows clients to establish a secure 
connection to the on-line VB1 system. The Postal Server subsystem also manages access to 
USPS specific data such as PSD information and a user's license information. The Postal Server 
subsystem queries the Postal portion of the Database subsystem for the necessary information to 
complete the task. The query travels through the firewall to the Postal portion of the Database 
subsystem. The Postal Server subsystem is the subsystem in the Public Network that has access 
to the Database subsystem. 

In one embodiment of the present invention. Postal Server 401 is a standalone server 
process that provides secure connections to both the clients and the server administration utilities, 
providing both client authentication and connection management functionality to the system. 
Postal Server 401 also houses postal-specific services that require high levels of security, such 
as purchasing postage or printing indicia. Postal Server 401 is comprised of at least one server, 
and the number of servers increases when more clients need to be authenticated, are purchasing 
postage or are printing postage indicia. 

In one embodiment, as illustrated in FIG. 3. the Postal Server subsystem 4 1 is physically 
comprised of at least one cryptographic module 52. at least one Postal Server 53 and at least one 
PostalX Server (PSX) 54. When the workload is increased, the number of each of these devices 
can be increased to accommodate the additional work. 

In one embodiment of the present invention, the cryptographic modules 52 are FIPS 1 40- 1 
certified hardware cards that include firmware to implement PSD functionality in a 
cryptographically secure way. The cryptographic modules are inserted into any of the servers in 
the Postal Server Infrastructure. The cryptographic modules are responsible for creating PSDs 
and manipulating PSD data to generate and verify digitally signed indicia." Since the PSD data 
is created and signed by a private key known only to the card, the PSD data may be stored 
externally to the cryptographic modules without compromising security. 

. In one embodiment of the present invention. Postal Server 53 is a standalone server 
process that provides secure connections to both the clients and the server administration utilities, 
providing both client authentication and connection management functionality to the system. 
Postal Server 53 also houses postal-specific services that require high levels of security, such as 
purchasing postage or printing indicia. Postal Server 53 is comprised of at least one server, and 
the number of servers increases when more clients need to be authenticated, are purchasing 
postage or are printing postage indicia. 

The growth in the number of servers of the Postal Server will not impact the performance 
of the system since the system design allows for scalability. The Postal Server is designed in 
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such a way that all of the business logic is processed in the servers and not in the database! By 
locating the transaction processing in the servers, increases in the number of transactions can be 
easily handled by adding additional servers. Also, since each transaction is stateless (the 
application does not remember the specific hardware device the last transaction utilized), 
multiple machines can be added to each subsystem in order to handle increased loads. In one 
embodiment, load balancing hardware and software techniques are used to distribute traffic 
among the multiple servers. 

In one embodiment of the present invention, PXS 54 is a standalone server process that 
provides trusted plain-text access to in-vault components. PXS 54 hosts postal-specific services 
that are protected from access external to the vault via a firewall. The PostalX Services provide 
business logic for postal functions such as device authorization and postage purchase/register 
manipulation. The PXS services require cryptographic modules to perform all functions because 
the PXS services are vital to the system's integrity and are protected by encryption. The PXS 
services can be located on one physical server or multiple machines depending on the number 
of postal-specific transactions. 

The growth in the number of servers of the PostalX Server will not impact the 
performance of the system since the system design allows for scalability in two ways, the 
PostalX Server is designed in such a way that all of the business logic is encapsulated in the 
servers, not in the database. By locating the transaction processing in the servers, increases in 
the number of transactions can be easily handled by adding additional servers. Also, since each 
transaction is stateless, multiple machines can be added to each subsystem in order to handle 
increased loads. In one embodiment, load balancing hardware and software techniques are used 
to distribute traffic among the multiple servers. 

.Referring back to FIG. 4, the Postal Database Management System 47 A manages access 
to the Postal section of the Database subsystem where USPS specific data such as meter and 
licensing information is stored. The Postal Database Management System is scalable and can 
be expanded to meet the needs of the Postal Server subsystem. The database schema design 
allows for the data to be partitioned across multiple physical databases. In one embodiment of 
the invention, the database is managed by relational database management software, such as MS 
SQL Server or the like. In one embodiment, the Postal Database Management System runs on 
two hardware servers. 

The Postal Database 47 is a secure database that stores all information for the Postal 
Server subsystem. The Postal portion of the Database subsystem contains the postal-specific 
information such as licensing, registration, and meter-specific data for all of the customers. 
Access to the Postal portion of the Database subsystem occurs through the Postal Server 
subsystem. Each piece of client software has a unique software serial number, which will be 
generated and kept in the database during product registration. 
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Provider subsystem 42B provides reporting and external communication functionality for 
the Postal information System. Preferably, the Provider subsystem is located on the PRVNET 
along with the Database Subsystem and communicates directly with the Database Subsystem 
when the Provider Subsystem services request Database subsystem information. As shown in 
FIG. 3, Provider Subsystem 42B includes Provider Server 55 and Provider Database 42. The 
Provider Subsystem 42B includes the following services: Central Metering License Services 
(CMLS), Central Meter Resetting Services (CMRS). Automated Clearing House (ACH) 
transactions. Credit Card services and Billing services. In one embodiment the Provider 
subsystem 42B runs on two hardware servers as shown in FIG. 4. 

The CMLS service forwards license applications to and processes requests from the 
CMLS in the USPS through a CMLS/CMRS communication link. The CMRS service provides 
meter movement and meter resetting information through the CMLS/CMRS communication link 
to the USPS Computerized Meter resetting infrastructure. The ACH Service submits ACH 
postage purchase requests through an ACH communication link to a USPS lockbox account at 
a bank. The Credit Card Service is invoked by the E-commerce services to authorize and capture 
funds from the customer's credit card account and transfer them to a designated merchant bank. 
The Billing Service provides bills through e-mail to customers based on selected billing plans. 
All of the Provider subsystem's communication with external devices is secure, since the 
communication is encrypted. 

The services included in the Provider subsystem 42B are classified as either services 
running across multiple servers or Singleton services. A Singleton service is a service where only 
one effective instance is executing at one time, so multiple operations of the service will not be 
operating at the same time. Preferably, the CMLS, CMRS and ACH services are all Singleton 
services and are not scalable because they transmit data in a specific format at specified times to 
external USPS or banking systems. The remaining services in the Provider subsystem (Credit 
Card and Billing services) are scalable and can be run on multiple servers. 

The Provider Database Management System 42A manages access to Ihe Provider section 
of the Database subsystem where Provider specific data such as Meter resetting records. Postage 
Value Download (PVD) information, batch status information and CMLS license information 
is stored. The PVD information is included in the log file that is sent to the USPS on a regular 
basis. The Provider Database Management Services are scalable and can be expanded to meet 
the needs of the Provider Server subsystem. The schema design allows for the data to be 
partitioned across multiple physical databases. In one embodiment, the Provider Database 
Management System runs on two hardware servers. 

The Provider Database 42 is a secure database that stores all information for the Provider 
Server subsystem. The Provider portion of the Database subsystem contains Provider subsystem 
specific data such as Meter resetting records. PVD information, batch status information and 
CMLS license information. 
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The E-commerce subsystem 46B. shown in FIG. 3, provides functionality for the Er 
commerce related services required by Customer Support personnel and system administrators. 
The Customer Support personnel and system administrators access the on-line postage system 
through the E-commerce subsystem. E-commerce subsystem 46B communicates with the 
Database subsystem through the Postal Server subsystem and preferably is connected to a Public 
Network. The E-Commerce subsystem also provides commerce-related services, such as 
payment processing, pricing plan support and billing, as well as customer care functionality and 
Lightweight Directory Access Protocol (LDAP) membership personalization services. 

LDAP is a protocol for accessing online directory services over the TCP/IP network 
protocol and can be used to access standalone LDAP directory services or directory services 
supporting the X.500 standard. It provides a standard way for Internet clients, applications and 
Web servers to access directory listings of large number of Internet users. 

E-Commerce subsystem 46B also includes a group of servers and databases including the 
Proxy Services 43. E-commerce Servers 44. E-commerce Database 46, Membership Database 
48. E-commerce Database Management System 46A. Membership Database Management 
System 48 A. and Credit Card Server 45. 

Proxy Services 43 provide Customer Support and authenticated access for administrators 
to the E-Commerce Servers. In one embodiment, the Proxy Services run on one hardware server. 
The E-commerce Services, such as payment processing, pricing plan support, billing, customer 
care functionality and LDAP membership services run on the E-commerce Servers 44. The 
number of the E-cpmmerce servers can easily be increased to meet the growing needs of the E- 
commerce subsystem. The growing number of servers will not impact the performance of the 
on-line postage system because the system design allows for scalability of the servers. 

E-commerce Database Management System 46 A manages access to E-commerce Database 
46 where commerce related information is stored, as shown in FIG. 4. E-Commerce Database 
46 includes information on non-postal commerce transactions, credit card validations, customer 
invoicing, etc. E-commerce Database Management System 46A is scalable and may easily be 
expanded to meet the needs of the system. If the number of E-commerce related transactions 
increase, the database schema design allows for the data to be partitioned across additional 
physical databases. The schema can be easily updated to add new devices and incorporate them 
into the Database subsystem. In one embodiment, the E-commerce Database Management 
System is resident on two hardware servers. The E-commerce portion of the Database subsystem 
includes specific data such as purchase transactions, pricing plans, billing information, and 
customer account information. 

Membership Database Management System 48A provides access to Membership database 
48. The Membership Database Management System manages access to the LDAP membership 
directory database that hosts specific customer information and customer membership data. The 
Membership Database contains all customer and internal user profile information, plus security 
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information for all internal system users. The Membership Database Management System is 
scalable and expands to meet the needs of the system. If the number of customer profile 
transactions increase, the database schema design allows for the data to be partitioned across 
additional physical databases. The schema can be easily updated to add new devices and 
incorporate them into the Database subsystem. In one embodiment, Membership Database 
Management System 48 A is resident on two hardware servers. The Membership portion of the 
Database subsystem includes specific customer profile information. 

The SSL Proxy server (part of Proxy 43) allows secure HTTP access from a web browser 
and is used by the system administrators to access the e-commerce subsystem. Web Server 56A 
is used to maintain the website, facilitate the customer support activities and distribute the client 
software to interested parties. Web Server 56A communicates with the clients 58 through the 
Internet 221 and the internal departments via the Intranet LAN 40A. The information for 
maintaining the website and tracking affiliate performance is located in Website Database 56. 
An Affiliate Database (not shown) stores client software versions, affiliate profiles and tracking 
codes and Advertising and Marketing tracking numbers. 

FIG. 5 illustrates more subsystems of the exemplary on-line postage system, namely, AMS 
servers 61 , Client Support Servers 62, Client Support Database Management System 62A. Client 
Support Database 62B, the Decision Support Services (DSS) Database Management System 63 A, 
DSS database 63, Staging Database Management System 66A and Staging Database 66, SMTP 
server 65, and Backup Services 65. 

SMTP server 65 runs the internal and external E-mail systems. The Staging Services 
subsystem coordinates aggregation of business data. Preferably, each night, all of the changes 
made in the Database subsystem in the last 24 hours are loaded into Staging Database 66. 
Staging Services Database Management System 66A manages access to Staging Database 66. 
After gathering changes in the databases. Staging Services Database Management System 66 A 
strips out all of the critical data such as credit card numbers and critical USPS specific 
information, and moves the changes to offline databases. Staging "Services Database 
Management System 66A is scalable and may be easily be expanded to meet the needs of the 
system. In one embodiment, the Staging Services Database Management System is resident on 
two hardware servers. 

Backup Services subsystem 64 provides the data backup for the Database subsystem. The 
first backup is the secondary Database Server, which is a live standby server that mirrors the 
primary Database server as described above. The second backup is a transaction log on the 
Postal Server that is stored (off-loaded) preferably every couple of minutes in a tape backup 
device, which allows the system administrators to reconstruct the system up to the last 
transactions if a database failure occurs. Finally, the entire Database subsystem is backed up 
every day and archived off premises to ensure that the data is available if the physical on-line VB1 
system suffers catastrophic failure. 
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The AMS subsystem 6 1 validates source and destination addresses against a USPS table 
to verify the mail is being sent to a recognized location. This service is utilized each time the 
user attempts to print postal indicia. The AMS system is used when a user enters a delivery 
address or a return address using the client software. The user does not need the address 
matching database on the user's local machine to verify the accuracy of the address. The client 
software connects to the Postage Server and uses a central address database obtained from the 
USPS to verify the accuracy of the address. If the address is incorrect, the client software 
provides the user with a prioritized list of addresses to match the correct address. Preferably, 
these choices are ranked in order according to the type of match. 

Since the printing of VBI indicia is the most common transaction in this system, this 
service is separated from other services in order to ensure the AMS does not create performance 
problems in the on-line VBI system. All of the services, except for the previously-mentioned 
Singleton services, are scalable and are modified to adjust to the number of transactions 
requested. AMS transactions increase substantially when more individuals utilize the system so 
the AMS transactions are scaled separately from the other transactions. Preferably, load 
balancing services are used to assist distributing the workload to the AMS servers. In one 
embodiment, the AMS Services run on two servers. 

The Client Support Services subsystem 58 of FIG. 3 is comprised of the client services 
that typically do not require secure transactions. Client Support Services subsystem 58 of FIG. 
3 includes the Client Support Servers 62, the Client Support Database Management System 62A, 
and the Client Support Database 62B, as shown in FIG 5. The services that execute on the Client 
Support Servers preferably include. Registration Services, Auto-Update Service, Printer Config 
Service, Postal Rate Info Service, and Printer DB Update Service. The Client Support Services 
are typically low in volume, however, the number of servers and the capacity of the database can 
be readily scaled according to the workload of the system. In one embodiment, the Client 
Support Services are run on two servers. 

The Registration Services includes supported payment type and billing plan information. 
The Auto-Update Service updates the client software when new client software versions are 
released. The Printer Configuration Services assist in setting up the printer to guarantee that the 
indicia printed meets USPS criteria. The Rates Service calculates the correct rate for the client 
based on class, destination and weight. The Printer Database Service updates the on-line VBI 
system with any new printer or printing information. 

The Client Support Database Management System 62A of FIG. 5 manages access to the 
Client Support Database (CSD) 62B. The processing requirements of CSD 62B are low, but 
availability of the CSD is vital, so multiple physical servers running in a cluster are necessary to 
ensure this availability. In one embodiment, the Client Support Database Management System 
runs on two hardware servers connected to one external CSD storage devices. 
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• CSD 62B is an external storage component for the Client Support Services subsystem 58. 
Transactions executing on the Client Support Servers requiring storage utilize the CSD 62B. The 
data storage size requirements for CSD 62B are relatively low. As the number of Client Support 
Services transactions grows, the database will grow. The database schema design allows for the 
data to be partitioned across multiple physical databases. 

The Decision Support System (DSS) includes the DSS Database Management System 63 A 
and the DSS Database 63. as shown in FIG. 5. The DSS allows restricted (read-only, time 
delayed) access to the postal data. The DSS Database Management System 63 A controls access 
to DSS Database 63. In one embodiment, the DSS various accounting tasks for the Staging 
Services Database Management System. As the processing requirements of the DSS vary, the 
availability of the DSS subsystem may also vary. Therefore, DSS Database Management System 
63A runs in a cluster on multiple servers to ensure DSS availability. DSS Database 63 is 
preferably offline and includes most or all of the user's profile information. Preferably, 
Staging Database 66 receives a nightly automatic delta update, which gathers all of the data that 
hais changed over the previous 24 hours. The data that has changed over the last 24 hours is 
filtered according to data access guidelines. The data is transferred from Staging Database 66 
to DSS Database 63. The update is a one-way update only. After the data has been moved, it is 
available for reading and queries for the Marketing, Finance, Customer Support and Management 
departments. DSS Database 63 contains user profile information, including historical transaction 
information. As the number of DSS transactions grows, DSS Database 63 grows to 
accommodate the additional transactions. A database schema design allows for the data to be 
partitioned across multiple physical databases. 

The on-line VBI system is designed to prevent unauthorized electronic access to the 
Database subsystem. FIG. 6 illustrates the hardware components that provide the security to the 
Database subsystem. The first line of defense is firewall 40. which prevents unauthorized access 
to the servers. Firewall 40 is connected to Public Network 73 and Private Network 72. Router 
7 1 A and switch 7 1 B direct data from Internet 22 1 to firewall 40 and together, serve as the portal 
from the Internet 221 to the on-line VBI system servers. Stack Hubs 74 A and 74B interface 
Public Network 73 and Private Network 72 to the firewall 40 respectively. Connected to 

Public Network 73 through Stack Hub 74 A are Postal Server subsystem 41 and E-commerce 
subsystem 46B. Cryptographic module 52 is connected to Postal Server subsystem 41; 
Connected to Private Network 72 through Stack Hub 74B are Provider subsystem 42B, a Back 
up database 76 that mirrors information as data is stored, and the primary database 51. A tape 
back up system 75 is connected to primary database 5 1 for periodically backing up the database. 

The second line of defense is the protection of the Database subsystem by the Postal 
Server Subsystem. The Public Network 73 includes the E-commerce subsystem 46B and the 
Postal Server subsystem 41 . The Private Network 72 includes the Database subsystem 51 and 
the Provider subsystem 42B. The firewall 40 is configured to deny access to the Private Network 
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72 by unauthorized users. The only access to the Private Network 72 (specifically the Database 
subsystem 5 1) by external users is through the firewall 40. In the Public Network 73, the Postal 
Server subsystem 41 controls access to the Private Network 72. In one embodiment dual Cisco 
PIX 520 hardware firewalls including two independent Network Interface Cards (NIC) are used 
for firewall 40. 

The Postal Server subsystem 4 1 executes an authentication algorithm for dynamically and 
asynchronously verifying passwords to ensure that only properly authenticated users are allowed 
access to the Database subsystem 5 1 . The Postal Server subsystem 4 1 runs software built around 
the authentication algorithm, and thus acts as a gatekeeper to prohibit unauthorized users from 
entering the Postal Server subsystem 4 land the Database subsystem 51. Preferably, only the 
custom made software built around the authentication algorithm runs on the Postal Server 
subsystem 41 for security purposes. 

Information in the Database subsystem 51 can be retrieved or altered only by accessing 
the database through the Postal Server subsystem 41. However, the authentication algorithm 
executed by the Postal Server subsystem 41 prevents unauthorized access to the Database 
subsystem 51 resulting in secure information in the Database subsystem. Preferably, the E- 
Commerce subsystem 46B. also, only communicates with the Database subsystem 51 through 
the Postal Server subsystem 41 . The Provider subsystem 42B communicates with the Database 
subsystem 51 directly through the Private Network 72. 

The communications between the cryptographic modules and the Postal Server subsystem 
are secured and authenticated through a security protocol. This protocol includes two distinct 
states. The first state is the registration/authorization state that is a one-time only (per user) state 
in which the client software and each cryptographic module preferably cooperate in establishing 
two shared secrets: a user secret (e.g., a password) and a hashed message authentication key 
(HMK). The second state is the operational state that follows a successful completion of the 
registration/authorization state. The operational state is the normal transaction state for client 
software and each cryptographic module. 

In the first part of the authorization state, the cryptographic module should authenticate 
itself to the client software by a challenge-response protocol. The cryptographic module and the 
client software share a public cryptography key pair that preestablishes a condition of trust. The 
cryptographic module keeps the private key. and a copy of the corresponding public key is 
embedded in the client software. The client software generates a random number as a challenge 
message and sends it as cleartext to the cryptographic module. The cryptographic module 
, responds by signing the received challenge with its private key and returns the resulting 
ciphertext to the client software. Using the public key, the client software signs the challenge 
message it had sent and compares it to the cryptographic module's signature of the same 
challenge message received from the cryptographic module. If the signed messages compare, the 
cryptographic module is authenticated. 
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Once the cryptographic module is authenticated the client software generates a HMK arid 
prompts the user for a password. The client software then encrypts both the HMK and the user's 
password with its public Key ? and sends this ciphertext to the cryptographic module. The user's 
name is also sent in clear text to the Postal Server. The cryptographic module uses its private 
RSA key to decrypt the password and the HMK. The PSD now has both the HMK and the user's 
password. This information is associated with the user's name and is cryptographically stored 
in the database. 

With the success of the authorization state, the client software not only trusts the 
cryptographic module, but also shares a common HMK with the cryptographic module, which 
it uses to sign and challenge each successive message. FIG. 7 illustrates client software and 
cryptographic module (PSD) 52 communication during the operational state. Client software 53 
sends a new challenge message to cryptographic module 52, as shown by 8 1 . The cryptographic 
module response by signing the challenge with the shared HMK and then sends this ciphertext 
back to the client software, along with its own challenge, as shown by 82. Client software 53 
compares the ciphertext of the challenge it originally sent to the cryptographic module, and also 
signs the message received from the cryptographic module. If the signatures compare, the client 
software trusts the cryptographic module for this transaction. Client software 53 uses the 
cryptographic module challenge message to authenticate itself to cryptographic module 52. 

Client software 53 now sends the signed challenge that cryptographic module 52 had sent, 
with the addition of the client software local record of the user's ascending and descending 
registers, as shown by 83. (The ascending register records the amount of postage that is 
dispensed or printed on each transaction and the descending register records the value or amount 
of postage that may be dispensed and decreases from an original or charged amount as postage 
is printed.) 

The client software also sends a cleartext of the challenge and the transaction message, 
as shown by 84. Next, the client software sends a Hash Message Authentication Code (HMAC) 
for all of the data sent in 83 and 84, using shared HMK, as shown by 85. "HMAC is a digital 
signature created using a hash algorithm with an arbitrary message and the secret key (HMK). 
The client software sends the original arbitrary message and the HMAC to Postal Server via the 
network. HMK. as the HMAC Key, stays in the client software 53. The cryptographic module 
52 already has a copy of HMK because it was sent over to Postal Server during the user 
registration process. In another embodiment. Data Encryption Standard Message Authentication 
Code (DES MAC) is used instead of HMAC. 

Once 83. 84. and 85 are received by cryptographic module 52. the cryptographic module 
verifies that the client software's response is identical with its local calculation of the same. This 
ensures that the message was not tampered with during transit. The cryptographic module then 
verifies the challenge it received from the client software, in fact, the challenge the cryptographic 
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module had sent to the client software. This authenticates the client software to the cryptographic 
module. 

Next, the cryptographic module verifies that the record of the ascending and descending 
registers that the client software sent is identical to the cryptographic module's local record of 
the same registers. This ensures that the client software's record of postage available and postage 
printed matches the cryptographic module's record. Upon a successful verification of the above, 
the cryptographic module performs the transaction (as shown by 86) and then sends a new 
challenge to the client software, for the next round of authentication. 

in one embodiment, the checkpoint concept operates in the following manner. Each 
module retains in its memory records relating to the three most recent transactions that modified 
a PSD package. For example, these records include the following data items: 

PSD meter ID 

Transaction type 

* Transaction amount 
PSD AR value 
PSD DR value 

* Module serial number 

Date/time stamp (for record replay detection) 
Module total amount reset 
Module total amount printed 

* Module total amount refunded 

The record of the most recent transaction is also output to the database and is protected 
from modification by a DES MAC generated using the key HMK_chkpt. When a PSD 
transaction is to be performed, the checkpoint record from the database is input along with the 
PSD package for the meter. Preferably, all IBIP commands to the modules are handled by the 
function sdxdispatch. Within dispatch, the checkpoint record from the database is compared 
with the most recent checkpoint record stored in the module memory. If they match, it is highly 
likely that no switchover of the database (resulting in lost records) has occurred. The module 
then trusts that the PSD package is up to date and allows the IBIP command to be executed. 
When the IBIP command is completed, the checkpoint record is updated and output to the server 
for database storage along with the updated PSD package. 

In the case of create indicium commands, the server first confirms that the updated 
records have been stored on the database before the indicium is transmitted to the client for 
printing. (Server transaction logs keep a record of all messages sent to clients.) In the case of 
the provider commanding postage value download or create refund indicium, the server reports 
an error if the database fails to correctly store the updated checkpoint record and PSD package. 

If the comparison of internal and external checkpoint records does not match, the module 
will not execute the IBIP command and an error code is returned to the server. The server then 



-21- 



WO 01/29778 



PCT/USOO/41201 



sends a command called "Auto-Recover module Checkpoint" to the module. This command 
allows a controlled rollback to an older checkpoint if the external checkpoint record matches 
either of the two older checkpoint records stored in the module internal memory. The module 
updates its internal records using data from the accepted checkpoint and outputs audit log records 
to document the more recent PSD transactions that are to be discarded (transactions more recent 
than the accepted checkpoint). If none of the module's internal checkpoint records match the 
record input from the database, auto-recovery fails and an error is returned to the server. This 
module is now effectively inhibited from processing PSD packages and operator intervention, 
using the disaster recovery process, is needed to return it to operation. 

In summary, the checkpoint validation and auto-recovery processes allows the module 
to verify that the database providing records is up to date and to automatically re-synchronize the 
module with the database if possible. 

The next level of security is achieved by encrypting all communications between the 
client and the Postal Server subsystem. The encryption-decryption function is employed using 
an encryption algorithm, for example. RSA public key encryption algorithm. The client has a 
unique public and private key pair generated by the Postal Server subsystem that is embedded 
in the client software and these keys are used for encrypting/decrypting communications between 
the client and the Postal Server subsystem. 

The user secret key (HMK) is further encrypted by using the public key of the 
cryptographic module 52 shown in FIGs. 3 and 6. HMK gets encrypted with its PSD encryption 
keys (3DES) by the cryptographic module 52. Then, the encrypted HMK is stored in the 
Database subsystem 5 1 along with other PSD information. In one embodiment the cryptographic 
module 52 is embedded in the hardware where Postal Server 41 is running. The Postal Server 
41 is connected to the Public Network 73. The cryptographic module 52 is used to decrypt the 
encrypted secret key of the user that is stored in the Database subsystem. The user authenticates 
itself with every request by digitally signing every request using the secret HMK. The 
cryptographic module 52 verifies the user signature using its copy of HMK stored in the Database 
subsystem 51. 

The interaction between the cryptographic modules and the Database subsystem provides 
two more levels of security. The first level of security is the cryptographic module verifying last 
transactions with the Database subsystem and the second level of security is the cryptographic 
protection of internal storage registers in the cryptographic modules. In one embodiment, the 
cryptographic modules store up to five transactions in a respective internal register. The number 
of transactions compared in the verification process system may be set by the system 
administrator. A verification process compares a predetermined number of last 

transactions. The database subsystem stores a table that preferably includes the cryptographic 

module(s) present in the Postal Server subsystem 41 , the cryptographic module serial numbers. 

the time of the iast transaction the cryptographic module processed, the date of the last 
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transaction the cryptographic module processed and the value of the last transaction the 
cryptographic module processed. Other values related to a transaction and a cryptographic 
module can also be saved for verification purposes. An example of the cryptographic module 
table, where the Postal Server subsystem has four cryptographic modules, is illustrated below. 



Cryptographic 


Cryptographic 


Transaction Time 


Transaction Date 


Transaction 


module 


module Serial. # 






Value 


1 


34576590 


11:53 PM 


08/06/99 


$ 0.33 


2 


34582152 


07:30 AM 


08/05/99 


$ 7.55 


3 


34593104 


03:00 PM 


08/02/99 


$3.45 


4 


34593992 


11:22 AM 


08/03/99 


$5.78 



When a cryptographic module 52 loads a new PSD out of the Database subsystem 5 1 
(performing a transaction), the cryptographic module's register, containing the last transaction's 
time, date and value, is verified against that cryptographic module's entry in the Database 
subsystem's cryptographic module table. The time, date or value for each transaction stored in 
each cryptographic module should match the corresponding values for the respective 
cryptographic module stored in the database for the verification process to be successfully 
completed. 

Cryptographic modules do not load new PSD transactions unless the verification process 
has been successfully completed. If any of the compared values is found to be different, 
preferably the whole system shuts down until authorized personnel can investigate the situation. 
In one embodiment, the threshold in the system is adjustable so that the system may be set to shut 
down if one, two or more cryptographic modules fail the verification process. The registers of 
each cryptographic module are cryptographically protected against any unauthorized access of 
the database. This provides another level of security. 

Additionally, the Database subsystem for the on-line VBI system is designed to allow for 
easy recovery from minor or major failures. A dual redundancy (backup) database server is 
connected to the on-line VBI system to mitigate the damage caused by the failure of the primary 
database server. In one embodiment, a backup database automatically carries all of the 
responsibilities of the primary Database server until the primary database server is repaired. 
Preferably, the Database subsystem is monitored 24 hours a day to immediately recognize 
problems. 

In order to maintain data protection in case of media failure, software error (system 
crash), or power outage, a cryptographically protected transaction log on the primary database 
server is off-loaded to tape periodically throughout the day. The transaction log does not need 
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to be a real time backup, but the number of transactions lost would be minimized since the 
backup occurs periodically throughout the day. 

In addition, on a daily basis, the data in the Database subsystem is backed up to a backup 
system, such as a tape backup system, and stored off premises in a secure facility. After the daily 
backup is completed, a transaction log of the primary database server is backed up to a backup 
system, such as a tape drive, and stored off premises in a secure facility with the data backup of 
the database subsystem. 

Minor failures of the primary database subsystem, for example media failure, power 
outages and software error, are easily handled in the on-line VBI system. In one embodiment, 
to change from the backup Database server in the case of the failure of the primary database 
server, the system administrator changes the IP address to that of the backup database server and 
makes the primary database server the backup database server. Next, the system administrator 
resets the database server and loads the latest encrypted transaction log. The system 
administrator uses a cryptographic module to decrypt the transaction log arid the decrypted 
information from the transaction log is loaded into the Database subsystem. 

In the case of catastrophic failure, e.g. loss of the database and the cryptographic modules, 
as long as the transaction log and daily backups are stored off premises, the data can be 
recovered. The data is recovered by storing a cryptographic module in an off-site secure location 
close to the stored transaction logs, daily backups and backup on-line VBI system. The backup 
of the system is combined with the transaction log to reinstate all of the accounts contained in 
the transaction log. 

In one embodiment of the invention, the daily backups and the transaction logs are 
downloaded to a tape. If a catastrophic failure occurs, then the latest daily backup tape is loaded 
onto the backup on-line VBI system. Next, the cryptographic module decrypts the backup tape 
and the decrypted information from the backup tape is loaded into the Database subsystem. 
Then, the cryptographic module decrypts the transaction log and the decrypted information from 
the transaction log is loaded into the Database subsystem. 

Preferably, the verification process that the cryptographic module performs with the 
cryptographic module table in the Database subsystem is not performed, because the new 
cryptographic module does not have any record of previous transactions, since it was sitting in 
a vault off premises from the on-line VBI system. The transaction log is cryptographically 
protected so that unauthorized personnel cannot manipulate the data. 

The cryptographic module is able to trust the cryptographically protected data of the 
transaction log because cryptographic module has knowledge of the format of the transaction log. 
As a result, the entire database is recovered and recreated by at least one cryptographic module 
using the last transaction log and the backup data. 

It will be recognized by those skilled in the art that various modifications may be made 
to the illustrated and other embodiments of the invention described above, without departing 
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from the broad inventive scope thereof. It will be Understood therefore that the invention is not 
limited to the particular embodiments or arrangements disclosed, but is rather intended to cover 
any changes, adaptations or modifications which are within the scope and spirit of the invention 
as defined by the appended claims. 
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WHAT IS CLAIMED IS: 

1 . A scalable on-line system for printing value bearing items (VBI) comprising: 
a client system for interfacing with one or more users; and 

a scalable server system capable of communicating with the client system over a 

communication network comprising: 

a database remote from the users including information about the users; 

a stateless cryptographic module for authenticating the one or more users; arid 

a plurality of security device transaction data stored in the database for ensuring 

authenticity of the one or more users, wherein each security device transaction data can be 

processed in the server system in a stateless manner. 

2. The system of claim 1 , wherein each security device transaction data is related to 

a user. 

3. The system of claim 2, wherein the security device transaction data related to a 
user is loaded into the cryptographic module when the user requests to operate on a value bearing 
item. 

4. The system of claim 3, wherein the security device transaction data related to a 
user is updated and returned to the database. 

5. The system of claim l t further comprising at least one more stateless 
cryptographic module, wherein each cryptographic module is capable of processing any of the 
plurality of security device transaction data. 

6. The system of claim 5. wherein a user can be authenticated using any of the 
cryptographic modules. 

7. The system of claim 5, further comprising computer executable code for load- 
balancing to route user requests to the at least one more cryptographic module. 

8. The system of claim 5, further comprising computer executable code for load- 
balancing to distribute traffic among the multiple cryptographic modules. 

9. The system of claim i, wherein the cryptographic module is capable of 
authenticating any of the one or more users. 
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10. The system of claim 1, wherein the database is partitioned across a plurality of 
physical databases. 

1 1 . The system of claim 1 , wherein the cryptographic module performs cryptographic 
function on a transaction related to the database. 

12. The system of claim 1 . further comprising computer executable code for password 
authentication to prevent unauthorized access to the database. 

1 3 . The system of claim 1 , wherein the database stores a first set of one or more last 
database transactions and the cryptographic module stores a second set of one or more last 
database transactions for comparison with the first set of one or mpre last database transactions 
stored in the database to verify each database transaction. 

14. The system of claim 13, wherein the cryptographic module prevents further 
database transactions if the second set of one or more last transaction stored in the cryptographic 
module does not compare with the first set of one or more last transaction stored in the database. 

15. The system of claim 1, wherein the cryptographic module includes a data 
validation subsystem for allowing the module to verify that data is up to date and an auto- 
recovery subsystem for automatically re-synchronize the module with the data. 

16. The system of claim 1, wherein the cryptographic module includes a computer 
executable code for preventing unauthorized modification of data. 

17. The system of claim 1 . wherein the cryptographic module includes.a computer 
executable code for ensuring the proper operation of cryptographic security and VBI related 
meter functions. 

1 8. The system of claim 1 , wherein the cryptographic module includes a computer 
executable code for supporting multiple concurrent users. 

1 9. The system of claim 1 , wherein the database includes one or more indicium data 
elements, data for account maintenance, and data for revenue protection. 

20. The system of claim 1 , wherein the database includes virtual meter information. 

21 . The system of claim 1 , wherein the database includes descending register data. 
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22. The system of claim 1, wherein the value bearing item is a mail piece, 

23 . The system of claim 22, wherein the postal indicium comprises a digital signature. 

24. The system of claim 1 , wherein the cryptographic module performs cryptographic 
function on validation information according to a user request for printing a VBI. 

25. The system of claim 1 , wherein the cryptographic module generates data sufficient 
to print a postal indicium in compliance with postal service regulation on a mail piece. 

26. The system of claim 1 , wherein the value bearing item is a ticket. 

27. The system of claim 1, wherein a bar code is printed on the value bearing item. 

28. The system of claim 1 , wherein the value bearing item is a coupon. 

29. The system of claim 1 , wherein the value bearing item is currency. 

30. The system of claim 1 , wherein the value bearing item is a voucher. 

31. The system of claim 1 , wherein the value bearing item is a traveler's check. 

32. The system of claim 1 , wherein each security device transaction data includes one 
or more of an ascending register value, a descending register value, a respective cryptographic 
module ID, an indicium key certificate serial number, a licensing ZIP code, a key token for an 
indicium signing key, user secrets, a key for encrypting user secrets, date and time of last 
transaction, last challenge received from a respective client subsystem, an operational state of the 
respective module, expiration dates for keys, and a passphrase repetition list. 

33 . The system of claim 1 , wherein each security device transaction data includes one 
or more of a private key, a public key, and a public key certificate, wherein the private key is used 
to sign module status responses and a VBI which, in conjunction with a public key certificate, 
demonstrates that the module and the VBI are authentic. : 

34. The system of claim 1 , wherein the cryptographic module is capable of performing 
one or more of Rivest, Shamir and Adleman (RSA) public key encryption, DES, Triple-DES, 
DSA signature, SHA-1, and Pseudo-random number generation algorithms. 
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35. The system of claim 1, wherein the server system further comprises one or more 
of a postal server subsystem, a provider server subsystem, an e-commerce subsystem, a staging 
subsystem, a client support subsystem, a decision support subsystem, a SMTP subsystem, an 
address matching service subsystem, a SSL proxy server subsystem, and a web server subsystem. 

36. The system of claim 1, wherein the database includes one or more of a postal 
database, a provider database, an e-commerce database, and a membership database. 

37. The system of claim I, further comprising an address matching server for 
verifying a correct address specified by a user. 

38. The system of claim 1 . further comprising a printer driver database for storing 
supported printer driver information. 

39. A method for printing value-bearing items (VBI) via a communication network 
including a client system, and a scalable server system, the method comprising the steps oft- 
interfacing with one or more users via the client system; 
communicating with the client system over the communication network; 
storing user information in a database accessible through the network: 
authenticating the one or more users using a scalable cryptographic module; and 
storing in the database a plurality of security device transaction data for ensuring 

authenticity of the one or more users, wherein each security device transaction data can be 
processed in the server system in a stateless manner. 

'i ■ • 

40. The method of claim 39, wherein each security device transaction data is related 
to a user. 

4 1 . The method of claim 40. further comprising the step of loading the security device 
transaction data related to a user into the cryptographic module when the user requests to operate 
on a value bearing item. 

42. The method of claim 41, further comprising the steps of updating and returning 
the security device transaction data related to a user to the database. 

43. The method of claim 39, further comprising the step of adding at least one more 
stateless cryptographic module, wherein each cryptographic module is capable of processing any 
of the plurality of security device transaction data. 
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44. The method of claim 39, further comprising the step ofauthenticating a user usm^ 
any of the cryptographic modules. 

45. The method of claim 43, further comprising the step of load-balancing to route 
user requests to the at least one more cryptographic module. 

46. The method of claim 43, further comprising the step of load-balancing to 
distribute traffic among the multiple cryptographic modules. 

47. The method of claim 39, further comprising the step of the authenticating any of 
the one or more users using the cryptographic module. 

48. The system of claim 1, further comprising the step of partitioning the database 
across a plurality of physical databases. 

49. The method of claim 39, further comprising the step of encrypting database 
transactions using the cryptographic module. 

50. The method of claim 39, further comprising the steps of verifying a user 
password before granting access to the database. 

5 1 . The method of claim 39, further comprising the steps of 
storing one or more last database transactions in the database; 

storing one or more last database transactions in the cryptographic module; and 
comparing the one or more last database transactions stored in the database with the one 

or more last database transactions stored in the cryptographic module to verify each database 

transaction. 

52. The method of claim 39, further comprising the step of encrypting transactions 
related to the database using the cryptographic module. 

53. The method of claim 39, further comprising the steps of storing one or more last 
database transactions in the database, storing one or more last database transactions in the 
cryptographic module for comparison with the one or mbre last database transactions stored in 
the database to verify each database transaction. 

54. The method of claim 53, further comprising the step of preventing further database 
transactions if the one or more last transaction stored in the cryptographic module does not 
compare with the one or more last transaction stored in the database. 
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55 . The method of claim 39, further comprising the steps of preventing unauthorized 
modification of data using the cryptographic module. 

56. The method of claim 39, further comprising the steps of verifying that the 
database is up to date. 

57. The method of claim 39. further comprising the steps of automatically re- 
synchronizing the cryptographic module with the database. 

58. The method of claim 39, further comprising the step of ensuring the proper 
operation of cryptographic security and VBI related meter functions. 

59. The method of claim 39. further comprising the steps of supporting multiple 
concurrent operators. 

60. The method of claim 39,further comprising the steps of: 

storing information about a number of last transactions in a respective internal 
register of each of the one or more cryptographic devices; 

storing a table including the information about a last transaction in the database; 

comparing the information saved in the respective device with the respective 
information saved in the database; and 

loading a new transaction data if the respective information stored in the device 
compares with the respective information stored in the database. 

61. The method of claim 39, further comprising the step of storing data for creating 
one or more indicium, account maintenance, and revenue protection. 

62. The method of claim 39, further comprising the step of printing a mail piece. 

63. The method of claim 62, wherein the mail piece includes a digital signature. 

64. The method of claim 62, wherein the mail piece includes a postage amount. 

65. The method of claim 62, wherein the mail piece includes an ascending register of 
used postage and descending register of available postage. 



66. The method of claim 50, further comprising the step of printing a ticket. 
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67. The method of claim 39, further comprising the step of printing a bar code. 

68. The method of claim 39, further comprising the step of printing a coupon: 

69. The method of claim 39, further comprising the step of printing currency. 

70. The method of claim 39, further comprising the step of printing a voucher. 

71. The method of claim 39, further comprising the step of printing a traveler's check. 

72. The method of claim 39, wherein the security device transaction data includes an 
ascending register value, a descending register value, a respective cryptographic device ID, an 
indicium key certificate serial number, a licensing ZIP code, a key token for an indicium signing 
key, user secrets, akey for encrypting user secrets, date and time of last transaction* last challenge 
received from a respective client subsystem, an operational state of the respective device, 
expiration dates for keys, and a passphrase repetition list. 

73 . The method of claim 39, further comprising the step of performing one or more 
of Rivest, Shamir and Adleman (RSA) public key encryption, DES, Triple-DES, DS A signature, 
SHA-1, and Pseudo-random number generation algorithms using each of the cryptographic 
devices. 

74. The method of claim 39, further comprising the step keeping track of user 
accesses to a vendor website using a website database. 

75. The method of claim 39, further comprising the step of storing postal transaction 
data, financial transaction data, customer marketing information, commerce product information, 
meter license information, meter resets, meter history, and meter movement information in an 
offline database. 

76. The method of claim 39, further comprising the step of storing customer 
information, financial transactions, and information for marketing queries in a data warehouse 
database. 

77. The method of claim 39, further comprising the steps of authorizing and capturing 
funds from a customer's account and transferring the funds to a vendor's account using an e- 
commerce server. 
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78. The method of claim 39, further comprising the step of verifying a correct address 
specified using a user using an address matching server. 

79. The method of claim 39, further comprising the step of storing supported printer 
driver information in a printer driver database. 
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